Spring4Shell: New info and fixes (CVE-2022-22965)

In this video for Help Net Security, Ax Sharma, Senior Security Researcher at Sonatype, talks about the latest developments regarding Spring4Shell, the unauthenticated RCE zero-day vulnerability in Spring Core whose existence has finally been confirmed by its developers.

Spring4Shell has been catalogued as CVE-2022-22965 and fixed in Spring Framework 5.3.18 and 5.2.20, and Spring Boot (which depends on the Spring Framework) 2.5.12 and 2.6.6.

“The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment,” Spring Framework developers have explained.

“If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”

Sharma offers a short rundown of the situation so far, clears up some misconceptions, and offers advice on what organizations with vulnerable apps should do next – both to plug CVE-2022-22965 and CVE-2022-22963, a RCE in the Spring Cloud Function library, as PoC exploits for both are available online and both are considered to be critical.

UPDATE (April 6, 2022, 05:10 a.m. PT):

The US Cybersecurity and Infrastructure Agency (CISA) has added Spring4Shell to their Known Exploited Vulnerabilities Catalog, but successfull exploitations have still not been documented.